Vulnerability Impact

Impact can differ based on the exploitation and on the read and/or write permissions of the web server user. Depending on these factors an attacker may be able to perform LFI {Local File Inclusion} and/or RCE {Remote Code Execution}. In this example, XSS.Cx was able to read and write to the local file system and perform Remote Code Execution.

Required Skills for Successful Exploitation

Significant attacking skills are required because there is no tool or automated way to exploit this type of vulnerability. The attack consists of three phases: detecting the vulnerability, then finding malicious code already present on the targeted system (or, where possible, planting some, for example by uploading an image), and finally including that code through the identified vulnerability so that it runs. Generally the attacker needs to find the physical path of the server's access logs, upload an image to the server, or abuse /proc/self/ functionality on Linux systems where possible.

LFI + RCE Proof of Concept {PoC}

Issue detail

The lang parameter was vulnerable to path traversal attacks, enabling read and write access to arbitrary files on the server.

The expression ../../../../../../../../../../../../../../../../etc/passwd%00en was submitted in the lang parameter. The requested file was returned in the application's response. Manual exploitation resulted in RCE.
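The fix for a parameter like lang is to never let user input pick a file path: decode it, refuse an embedded NUL (the %00 truncation trick the payload above relies on), confirm the canonical path stays inside the language directory, and require an allowlisted code. The following is an added example written for this page, not code from the affected application or from XSS.Cx; the directory /srv/app/lang, the language codes, the .php suffix and the access-log lines are all constructed assumptions. It also includes a small access-log scan for the same traversal pattern, since the advisory notes that server logs are part of the picture.

```python
import os
import re
from urllib.parse import unquote

# Constructed for this example: the app's language directory and the codes it
# ships. Neither value is taken from the advisory.
LANG_DIR = "/srv/app/lang"
ALLOWED_LANGS = {"en", "de", "fr"}
TRAVERSAL = re.compile(r"\.\./|\.\.\\|\x00")

# Constructed access-log lines, not from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?lang=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?lang=../../../../etc/passwd%00en HTTP/1.1" 200 1024',
]

def resolve_lang_file(lang_param, base_dir=LANG_DIR):
    """Map a user-supplied lang value to a file path or raise ValueError.
    Layered checks: reject an embedded NUL (the %00 truncation trick), reject
    any canonical path outside base_dir, then require an allowlisted code.
    The allowlist alone would do; the other two survive it being loosened."""
    value = unquote(lang_param)            # %00 -> "\x00", %2e%2e -> ".."
    if "\x00" in value:
        raise ValueError("NUL byte in lang parameter")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes language directory")
    if value not in ALLOWED_LANGS:
        raise ValueError("lang not in allowlist")
    return candidate

def rejection_reason(lang_param):
    """None if lang_param is accepted, otherwise why it was refused."""
    try:
        resolve_lang_file(lang_param)
    except ValueError as exc:
        return str(exc)
    return None

def flag_traversal_requests(log_lines):
    """Request URLs whose decoded form carries a traversal sequence or a NUL
    byte: a cheap first-pass detector over access logs for this pattern."""
    hits = []
    for line in log_lines:
        match = re.search(r'"(?:GET|POST) (\S+)', line)
        if match and TRAVERSAL.search(unquote(match.group(1))):
            hits.append(match.group(1))
    return hits
```

The containment check matters even with an allowlist in place: it is the one test that still holds if a later change lets the allowlist accept values containing separators.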